Business Continuity Management Planning Methodology

Transcription

1 , pp Business Continuity Management Planning Methodology Dr. Goh Moh Heng, Ph.D., BCCLA, BCCE, CMCE, CCCE, DRCE President, BCM Institute Managing Director, GMH Continuity Architects Abstract This paper explains the concept of business continuity management (BCM) with the specific focus on the BCM planning process and methodology. Before entering into the maintenance phase of any BCM program, the Organization BCM Coordinator needs to ensure that the project phases of the BCM planning methodology are succinctly implemented to meet the organization s BCM objectives. This paper is an update of an earlier paper written in 1996 incorporating the author s subsequent experiences and implementation while he is working in the financial regulatory environment. This BCM methodology is aligned with the BCM standard ISO The intent in the following dialog is to explain the BCM planning process briefly. Keywords: Business Continuity planning methodology, Project Management, Risk Analysis and Review, Business Impact Analysis, Business Continuity Strategy, Plan Development, Testing and Exercising, Program Management, ISO Introduction Business Continuity Management [1] is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. Businesses are subject to disruptions of varying severity. An incident, emergency or event, if not managed properly, can escalate to become a disaster or crisis. Besides creating an unplanned disruption that can tarnish an organization's image, in the extreme case, this incident if not properly managed can result in significant physical or environmental damage. It may cause significant injuries to employees or even death. For example, a fire outbreak if not brought under control quickly can result in grave consequences. Organizations should, therefore, be prepared for an incident before it occurs to minimize its impact should it happen. 2. BCM Planning Methodology The BCM planning methodology (Figure 1), like any other planning process, provides a framework for requirements, effort, and deliverables, each phase leading into the next in an endlessly repeating cycle. In real life, many of the steps or phases can be conducted concurrently. While these steps provide visual clues as to the amount of execution time to take, they are used as a reference and do not represent an absolute percentage of the time. ISSN: IJDRBC Copyright c2015 SERSC

2 Figure 1. BCM Planning Methodology This BCM planning methodology [2] started with the author being tasked to develop and implement a business continuity planning methodology for a large international UKbased bank. The planning methodology has been subjected to the rigor of both successful global implementation of BC plans for the bank's 52 franchisees. This methodology has been subjected to the highest level of academic scrutiny as part of a Doctor of Philosophy dissertation [3]. In researching for this thesis, more than 200 types of proprietary BCM processes and methodologies had been evaluated. For more than a decade since the completion of the thesis, the BCM planning methodology had undergone an evolutionary process of continuous improvement, to form the framework for BCM Institute s training curriculum. 3. Definition As defined in BCMPedia [4], the BCM planning methodology is the planning process for the implementation of any BC plan. The phases are as follows: Project Management. Risk Analysis and Review. Business Impact Analysis. Business Continuity Strategy. Plan Development. Testing and Exercising. Program Management. 4. Project Management The first step in implementing the BCM planning methodology in any organization is to set up the needed Executive Management structure, to support the BCM planning process [5]. Here is where we confirm the inclusion of the business units and the business functions in the scope and the roles and responsibilities of each party participating in the project. This inclusion is to ensure the efficient completion of task assignments and time goals, which will have to be set at a later stage of the project. The BC project planning team will need to: Obtain the commitment of Heads of Business Units and their staff members, and involve them in the BCM planning process. 10 Copyright c 2015 SERSC

3 Identify and mobilize the business units resources. Begin the information gathering process What does the Project Management Entail? The entire project management process involves the following steps. Establish the need for BCM planning. Research the work in the areas of BCM. Develop a BCM planning framework. Define the scope, objectives, and assumptions. Manage the BCM planning process. Establish a BCM project planning committee and team. Develop an action plan and schedule. Establish a budget. Obtain commitment and approval. Manage deadlines and milestones. Build and maintain teamwork. The detailed breakdown of the steps can be found in the first book [1] of the BCM Book Series. 5. Risk Analysis and Review The Risk Analysis and Review phase is the detailed analysis of risks, vulnerabilities (exposures) and probabilities [6] and is a component of risk assessment. The Risk Analysis & Review phase along with the following Business Impact Analysis phase is key fundamental elements of an organization s BCM Program. The Risk Analysis & Review phase is not the end game but rather a starting point in the BCM planning process. It is an industry-recognized approach to helping an organization determine which disruptive events are they vulnerable. How to address these vulnerabilities and where they can maximize the value of the dollars they spend on their unique BCM efforts. The purpose of a Risk Analysis & Review phase is the mitigation or minimizing of the risks and threats to the organization. The major steps and considerations during the Risk Analysis & Review [7] process include: Assess the risk. Assess the control options. Assess the cost and the effectiveness of risk controls. Establish the Key Disaster Scenario. Report to the Executive Management. Implement, maintain and monitor the effectiveness of controls. Copyright c 2015 SERSC 11

4 6. Business Impact Analysis The Business Impact Analysis (BIA) phase refers to the process of identifying an organization s Critical Business Functions and analyzing the potential disruptive impact to the business [7]. The Business Impact Analysis phase is to: Assess the impact of a disruption to any functional area or business operations within the organization. Determine the extent to which primarily functional and operational dependencies exist within the organization. Establish the restoration priorities and sequence of the critical IT applications and essential business functions What does the Business Impact Analysis Process Entail? The entire Business Impact Analysis process involves the following steps: Gather Information. Design the Business Impact Analysis Questionnaires. Gather initial information about business functions, support systems and IT applications through the use of Business Impact Analysis Questionnaires. Verify and Analyze Information. Validate the content of the submitted Business Impact Analysis Questionnaires with Business Unit BCM Coordinators. Conduct face-to-face interviews with Business Unit BCM Coordinators to verify the accuracy of the information presented. Analyze information to determine priorities for recovery of business operations, systems, and IT applications. Establish a Recovery Time Objective for each Critical Business Functions, which is the time taken from disruption until recovery of services. Document and Present Findings. Prepare the executive summary and the Business Impact Analysis report. Include recovery priorities supported by graphs, charts, and other working aids. Present a set of findings to the Executive Management in written and oral reports. Update the Executive Management on the subsequent steps in the BCM planning process. 7. Business Continuity Strategy The development of the BC Strategy is the process to determine and select operating strategy to maintain or continue the critical business functions or product and services during a disaster [8] What does the Development of BC Strategy Entail? The entire BC Strategy [8] process involves the following stages: 12 Copyright c 2015 SERSC

5 Initiate the BC Strategy Project and Design. Understand the development process for BC Strategy. Evaluate current status and arrangement. Prepare a project plan. Develop and Consolidate BC Strategy. Design working document for completing the BC Strategy information. Conduct the BC Strategy workshop. Design and develop BC Strategy by the business units BCM coordinators and their heads. Review and consolidate submissions from business units by the organizational BCM project team. Finalize Strategy and Obtain Acceptance for the strategy. Validate design of the individual and corporate BC strategy. Finalize the corporate-level BC Strategy. Obtain approval from Executive Management. 8. Plan Development In the plan development phase [9], you will need to identify all the procedures and resources necessary to initiate the BC documentation. The BC plan will contain all the pertinent details from the Business Impact Analysis and BC Strategy Phases. The completed plan is an important document, as all staff in the business units will rely on it for instruction and guidance in the event of a disaster. It is, therefore, necessary for the BC plan to be well structured and developed in a series of logical steps. As the team proceeds, please keep in mind that the BC procedures should be entirely self-contained and simple to use. The BC plan will be based on all the procedures and priorities agreed upon by the executive management so that the need to refer or make decisions in a disaster will be kept to an absolute minimum What does the Plan Development Phase Entail? The entire Plan Development [9] process involves the following stages. Determine the Organization of the Plan Document. Design and develop BC plan template. Determine and finalize the recovery organization. Conduct a Plan Writing Workshop to Guide BC Plan Writers. Facilitate the completion of the plan template by individual business units BCM Coordinators. Finalize the production of the BC Plan. Validate the content of BC plans by business units' BCM Coordinators and Heads of Business Units for their completeness and coverage. Copyright c 2015 SERSC 13

6 Sign-off by heads of respective business units. 9. Testing and Exercising Testing & Exercising is needed to ensure the business continuity (BC) plan works [10]. The BC plan must be tested to prove its validity. Testing is intended to find errors and omissions in the BC plan procedures. These corrected omissions or errors can be reported to all concerned parties and subsequently. The process of simulating a recovery based on the procedures within the BC document also prepares the relevant staff to function at the alternate site and verifies the adequacy of the alternative site. Ultimately, the Testing & Exercising phase ensures the integrity of the complete business continuity plan, with appropriately documented procedures to handle all likely situations What does Testing and Exercising Entail? The entire Testing and Exercising [10] process involves the three main stages: Designing the Test Program. Executing the Test. Assessing and correcting the results of the tests and exercises. In stage 1, which is the Designing the Test Program, the components of this stages includes. The First Component is the development of a corporate-wide test and exercise program. The appointed person responsible for BC plan should develop this program, and it will be done in consultation with executive management. The program should identify all the tests and exercises that are required. The Second Component is for Specific Tests defined within the test program; the following questions should be asked? What is the aim of the test? What does each test try to prove? What is the scope of the test? To what extent do they wish to test? Who will be involved? Which components should they test? What is the method that will be used for conducting the test? How will the test be performed? The Third Component is an Evaluation mechanism that must be developed to assess whether the tests were successful. Specific, measurable criteria must be established to decide whether each test achieves a pass or fail result. In stage 2, this entails running the Test. Here is where the actual test is executed based on the planned scope of testing. In the last stage, the test results are assessed against the pre-determined criteria. An evaluation of the outcome of causes of any deviations, either through errors or omissions, and corrections are made to the BC plan. As part of the continuous improvement process, there is always a need to fine-tune the test plan where relevant, for future testing. The team should perform tests and exercises on all aspects of a BC plan, such as Information Technology (IT) system switch-over, telephone notification call trees, and evacuation methods. These tests should be discussed with relevant staff to determine the most appropriate model and test schedule. Testing helps identify vulnerabilities and changes in the organizational environment and allows the renewal of the BC plan accordingly. For the tests to be valid, it must challenge the recovery needs of the organization. Each member of the BC team is strongly recommended to be involved in some form of testing twice every year. A test policy to revise the readiness of their plans should be developed and published. 14 Copyright c 2015 SERSC

7 A mandatory corporate policy to perform "at least once per year" testing should be published and endorsed by Executive Management. This regular distribution of the resultant revised BC plans to all recovery personnel. 10. Program Management Once the BCM planning project completes, the next challenge is to keep the BCM program effort alive. It is essential to emphasize continuously that, in the event of a disaster, BCM is the key to ensuring the safety of all people in the organization as well as the survivability of the organization. The objective of the Program Management phase is to establish an on-going system to ensure the validity of critical business functions, BC Strategy and documented recovery procedures [11]. The ultimate goal is the recoverability of the business processes in the organization What does BCM Program Management Entail? Some of the activities that have to be completed under the Program Management [11] phase, and they ensure that the: BC Plan is consistent with the most current business operational setup. BC Plan is available, accessible and distributed to the recovery team. Maintain BC Plan to an acceptable standard, efficiency, and effectiveness. Planning efforts enable the prompt and correct response of the staff in a disaster. BC Plan is consistent with international standards. In summary, it is important to maintain the BC Plan regularly and updated and kept actually. The primary considerations in this process include the: Maintenance process. Incorporation of the training & awareness phase to institute it as part of the organizational training program. Development of advanced level testing and exercising. Constant review and audit of the BC plan and its preparedness. Embedding of the BCM mindset and culture into the organization. 11. Conclusion This planning methodology covers the Plan, Do, Check and Act components of the Plan-Do-Check-Act or PDCA cycle as mandated by any typical ISO management system. The intent is to ensure that BCM process develop a workable BC plan. The BCM planning methodology continues to be the cornerstone for all BCM planning activities. This methodology includes a requirement for Pandemic Flu planning [12], IT disaster recovery planning [13] and crisis management [14]. References [1] ISO, Editor, ISO22301:2012 Societal Security Business Continuity Management Systems Requirements, (1st ed., p. 24), International Organization for Standardization, Switzerland, (2012). [2] M. H. Goh, Developing a suitable business continuity planning methodology, Information Management & Computer Security, vol. 4, no. 2, (1996), pp [3] M. H. Goh, Editor, Business Continuity Planning for Banks in Asia: A Case Study in Standard Chartered Bank, University of South Australia, (1999). Copyright c 2015 SERSC 15

8 [4] M. H. Goh, Editor, CMpedia: A Wiki Glossary for Business Continuity Management, Crisis Management and Disaster Recovery (4th ed., p. 200), BCM Institute, Singapore. (2013). [5] M. H. Goh, Editor, Managing Your Business Continuity Planning Project (2nd ed., p. 166), GMH Pte Ltd, Singapore. (2008). [6] M. H. Goh, Editor, Analyzing & Reviewing the Risks for Business Continuity Planning, (2nd ed., p. 148), GMH Pte Ltd, Singapore, (2008). [7] M. H. Goh, Editor, Conducting Your Impact Analysis for Business Continuity Planning, (2nd ed., p. 130), GMH Pte Ltd, Singapore, (2008). [8] M. H. Goh, Editor, Developing Recovery Strategy for Your Business Continuity Plan, (1st ed., p. 104), GMH Pte Ltd, Singapore, (2005). [9] M. H. Goh, Editor, Implementing Your Business Continuity Plan, (2nd ed., p. 104). GMH Pte Ltd, Singapore, (2010). [10] M. H. Goh, Editor, Testing and Exercising Your Business Continuity Plan, (2nd ed., p. 160), GMH Pte Ltd, Singapore, (2006). [11] M. H. Goh, Editor, Managing & Sustaining Your Business Continuity Management Program, (1st ed., p. 190), GMH Pte Ltd, Singapore, (2007). [12] M. H. Goh, Editor, A Manager s Guide to to Implement Your Infectious Disease Business Continuity Plan, (1st ed., p. 128), GMH Pte Ltd, Singapore, (2015). [13] M. H. Goh, Editor, A Manager s Guide to Managing and Implementing Your IT Disaster Recovery Plan, (1st ed., p. 208), GMH Pte Ltd, Singapore, (2010). [14] M. H. Goh, Editor, A Manager s Guide to Implement Your Crisis Management Plan, (1st ed., p. 208), GMH Pte Ltd, Singapore, (2015). Author Dr. Goh Moh Heng, Dr Goh is the President of BCM Institute and the Managing Director of GMH Continuity Architects a specialized BCM Consulting firm. His primary areas of expertise include Business Continuity Management (BCM), Disaster Recovery Planning (DRP), ISO22301 BCM Audit and Crisis Management. Since 2011, Moh Heng has assisted more than 20 organizations, particularly those operating in the Asia Pacific and Middle-East Region in their successful implementation of their Business Continuity Management System (BCMS) and achieving their BS 25999/ SS 540 / ISO organization certification. Prior to establishing BCM Institute and GMH BCM Consulting, Dr Goh held senior positions with a number of large organizations. During his career with the Government of Singapore Investment Corporation (GIC), he was responsible for all aspects of its BCM and crisis management. At Standard Chartered Bank Plc, he saw to the global implementation of its BCM and planning. He also managed the BCM practice at PricewaterhouseCoopers. Currently, Dr Goh is an expert panel member of the Asia-Pacific Economic Cooperation (APEC) Network on Improving SME Disaster Resilience (since 2011) and JICA-ASEAN study to enhance resiliency of industrial areas against natural disasters (since 2012). In May 2012, Dr Goh Moh Heng became the first Asian in the 16th year of tradition, to be awarded the "Business Continuity Lifetime Achievement Award" in London, United Kingdom by the Continuity, Insurance and Risk (CIR) Magazine. In January 2013, Dr Goh Moh Heng received the National BCM Awards 2013 from Singapore Business Federation and SPRING Singapore. 16 Copyright c 2015 SERSC